Occasional Contributor I

IAPs not showing up in Airwave after SSL cert change

Hi airheads,

I changed the SSL cert from our Airwave to a signed cert from our internal CA. Everything is fine, switches and CAPs are still online and working.

Except for a cluster of IAPs at one site. The communication stopped and I cannot find a way to get them working again. In the meantime I deleted all IAPs from this cluster in Airwave, deleted the folder configuration etc., and rebooted Airwave, but still no luck. I can see HTTPS traffic from the virtual controller to Airwave, but nothing is appearing in Airwave.

Airwave is 8.2.10.1; IAPs are 8.5.0.2

 

Any ideas?


Re: IAPs not showing up in Airwave after SSL cert change

System --> Event log would be a good place to start. We would see messages there when the IAP tries to check in.

 

Regards,
Vishnu
If my post helped you, don't forget to give kudos ;)
Occasional Contributor I

Re: IAPs not showing up in Airwave after SSL cert change

Thanks for your response!

 

Nothing to see in Event Log.

I rebooted all IAPs in the meantime. On IAP, I ran command "show ap debug airwave" and see status "Connected".

 

"Show log ap-debug" tells me the following:

awc_init_connection: 2550: connected to 10.xxx.xxx.xxx:443

Failed to establish SSL connection: Error code is -1:ASN parsing error, invalid input

awc_login: awc_init error

 

"Show log provisioning" shows me:

Airwave In progress Connecting to primary AMP server at 10.xxx.xxx.xxx...

Airwave In progress Connected with primary AMP server 10.xxx.xxx.xxx, logging in...

Airwave Debug Logging out of AMP server primary

Airwave Failed Error establishing SSL connection to AMP server at 10.xxx.xxx.xxx: ASN parsing error, invalid input

Airwave Failed Login aborted due to incomplete response from primary AMP server

 

MVP Expert

Re: IAPs not showing up in Airwave after SSL cert change

Are you using certificate-based authentication in Airwave, or PSK? If it is certificate-based, then you might be hitting a known security advisory.

Did this issue start after installing the Airwave or the IAP SSL certificate?

Make sure the certificate has the complete chain.

Check the attached copy of the Aruba advisory.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: IAPs not showing up in Airwave after SSL cert change

It's configured for PSK only.

The problem started when changing the SSL certificate on Airwave. I did not upload/change anything on IAP until now. 

In the meantime I did an update to 8.5.0.6 for the cluster, but the problem still exists with the same messages in logfile.

MVP Expert

Re: IAPs not showing up in Airwave after SSL cert change

Check the details below of the certificate for proper IAP-Airwave communication.

- Does your installed certificate have keyUsage and extKeyUsage extensions?
- If they are not required, they can be removed, since the Airwave default cert does not add them.
- If you want to have them, you can add the keyEncipherment and keyAgreement flags while signing the certificate.
- Also, if you have configured ext-keyUsage, the suggestion is to set KeyEncipherment in KeyUsage when the extKeyUsage extension is configured.
- The maximum policy ID length is 64
- New items like id-smime-capabilities, id-ms-application-certificate-policies, id-ms-certificate-template are present

 


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
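
The checklist in the reply above can be run against the text dump of the new certificate (`openssl x509 -noout -text`). The script below is an added example, not code from the thread or from Aruba. It assumes OpenSSL's usual indented layout, that the three named extensions appear under the OIDs or long name in `FLAGGED`, and that the "policy ID length" is the length of the dotted OID text.

```python
# Extensions the post names, keyed by dotted OID or OpenSSL's printed long name.
FLAGGED = {"1.2.840.113549.1.9.15": "id-smime-capabilities",
           "S/MIME Capabilities": "id-smime-capabilities",
           "1.3.6.1.4.1.311.21.10": "id-ms-application-certificate-policies",
           "1.3.6.1.4.1.311.21.7": "id-ms-certificate-template"}
MAX_POLICY_ID_LEN = 64  # from the post; measured on the dotted OID text (assumption)

def parse_extensions(text):
    """Return {extension header: [value lines]} from `openssl x509 -noout -text` output."""
    exts, name, base = {}, None, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        indent = len(line) - len(line.lstrip())
        if base is None:                      # still looking for the extensions block
            base = indent if line.strip() == "X509v3 extensions:" else None
        elif indent <= base:                  # block ended (e.g. Signature Algorithm)
            break
        elif indent == base + 4:              # extension header, maybe ": critical"
            name = line.strip().rsplit(":", 1)[0]
            exts[name] = []
        elif name is not None:                # value line of the current extension
            exts[name].append(line.strip())
    return exts

def check_cert(text):
    """List findings for the certificate properties raised in the post."""
    exts, findings = parse_extensions(text), []
    key_usage = ", ".join(exts.get("X509v3 Key Usage", []))
    if "X509v3 Extended Key Usage" in exts and "Key Encipherment" not in key_usage:
        findings.append("extKeyUsage present but keyUsage lacks keyEncipherment")
    for line in exts.get("X509v3 Certificate Policies", []):
        if line.startswith("Policy:") and len(line[7:].strip()) > MAX_POLICY_ID_LEN:
            findings.append(f"policy ID longer than {MAX_POLICY_ID_LEN} characters")
    findings += [f"extension present: {FLAGGED[n]}" for n in exts if n in FLAGGED]
    return findings

# Constructed sample in the layout `openssl x509 -noout -text` prints; not from the thread.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23
            1.3.6.1.4.1.311.21.7:
    Signature Algorithm: sha256WithRSAEncryption
"""

if __name__ == "__main__":
    print("\n".join(check_cert(SAMPLE)))
```

An empty result means none of the listed conditions were found in the dump; it does not validate the chain, which still has to be checked separately.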